[runtime] Don't call GetArrayKeys on proxies.

This fixes another bug in Array.prototype.sort (when the array is not a
JSArray and there is a proxy on the prototype chain).

R=cbruni@chromium.org
BUG=chromium:596866
LOG=n

Review URL: https://codereview.chromium.org/1842563004

Cr-Commit-Position: refs/heads/master@{#35101}

src/js/array.js

@@ -1049,7 +1049,7 @@ function InnerArraySort(array, length, comparefn) {
   var CopyFromPrototype = function CopyFromPrototype(obj, length) {
     var max = 0;
     for (var proto = %_GetPrototype(obj); proto; proto = %_GetPrototype(proto)) {
-      var indices = %GetArrayKeys(proto, length);
+      var indices = IS_PROXY(proto) ? length : %GetArrayKeys(proto, length);
       if (IS_NUMBER(indices)) {
         // It's an interval.
         var proto_length = indices;
@@ -1077,7 +1077,7 @@ function InnerArraySort(array, length, comparefn) {
   // elements in that range.
   var ShadowPrototypeElements = function(obj, from, to) {
     for (var proto = %_GetPrototype(obj); proto; proto = %_GetPrototype(proto)) {
-      var indices = %GetArrayKeys(proto, to);
+      var indices = IS_PROXY(proto) ? to : %GetArrayKeys(proto, to);
       if (IS_NUMBER(indices)) {
         // It's an interval.
         var proto_length = indices;

test/mjsunit/array-sort.js

@@ -466,7 +466,16 @@ function TestSortToObject() {
 TestSortToObject();
 
 function TestSortOnProxy() {
-  var p = new Proxy([2,1,3], {});
-  assertEquals([1,2,3], p.sort());
+  {
+    var p = new Proxy([2,1,3], {});
+    assertEquals([1,2,3], p.sort());
+  }
+
+  {
+    function f() { return arguments };
+    var a = f(2,1,3);
+    a.__proto__ = new Proxy({}, {});
+    assertEquals([1,2,3], [...(Array.prototype.sort.apply(a))]);
+  }
 }
 TestSortOnProxy();